> A better tool to compare binaries is diffoscope, it can disassembles > ELF binaries and compare the assembly. > > Please upload the two tun.ko files to the trydiffoscope website so > that we can investigate the differences more closely: > > https://try.diffoscope.org/
Thanks for the tip, just did, results are here: https://try.diffoscope.org/ttrrkzfqqbre.html didn't look like code was modified, just symbols > These look like they are two different builds of the Debian Linux > kernel package. If you or your cloud provider did not rebuild the > Debian Linux kernel package, then it is possible your cloud server has > been compromised and tun.ko modified with the version from a different > build of the package. I didn't compiled myself this module, neither cloud provider I believe, bcz VPS is unmanaged. > Are there any other modified files on the system? You can use debsums to > check. > Just run it, all 65418 files came clean (OK). Also tun.ko because I restored it from linux-image-3.16.0-4-amd64_3.16.43-2+deb8u3_amd64.deb Also copied back old tun.ko (wrong MD5) and after run debsums again, it failed on tun.ko - so behaviour of tool is ok. > PS: I would suggest upgrading to Debian stretch at some point. In my plans, soon. > > -- > bye, > pabs > > https://wiki.debian.org/PaulWise > > cheers. Thanks for the help.
